Using serverless technologies is becoming more and more mainstream. Serverless may make your life easier in several contexts; however, you are always responsible for securing your code. As a developer, one of the things you need to know is how to store secrets safely. Just google “Github leaks”, and you will see how easy it is to find logins, passwords and other sensitive information.

This is a series of blog posts about using AWS Lambda with the Serverless Framework. You can check previous similar blog posts like:

In the remaining parts, we will create secrets using AWS KMS, then call these secrets from our serverless code.

Using AWS KMS/SSM

This is how AWS defines its service:

AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. AWS KMS uses customer master keys (CMKs) to encrypt your Amazon S3 objects.

With AWS Systems Manager Parameter Store, you can create Secure String parameters, which are parameters that have a plaintext parameter name and an encrypted parameter value. Parameter Store uses AWS KMS to encrypt and decrypt the parameter values of Secure String parameters.

After the secret is created, it is encrypted with the generated key, and we can view it using:

(Note that we are including the AWS key pair in our serverless.yml file, which is not a good practice unless the file is kept out of version control and protected. We don’t want to complicate things for you right now, but it would be good practice to encrypt variables like ACCESS_KEY in each environment (build/test/prod/dev). This practice is more related to CI/CD than to the Serverless framework. Another way to configure your credentials without putting them in your yml file is the serverless config command: serverless config credentials --provider aws --key <ACCESS KEY ID> --secret <SECRET KEY>)
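The following is an added example (not code from the original post) of a Lambda handler reading a Secure String parameter at runtime, as described above. It assumes a parameter named /myapp/<stage>/db-password encrypted with a KMS key, and a function role allowed ssm:GetParameter on that parameter and kms:Decrypt on the key; the parameter names and the fake SSM client are constructed so the example runs offline.

```python
"""Read a SecureString parameter from SSM Parameter Store at runtime.

Added example, not the post's own code. Assumes /myapp/<stage>/db-password
exists as a SecureString (KMS-encrypted) and the role may read/decrypt it.
"""
import os

# Cache decrypted values for the life of the execution environment so warm
# invocations do not call SSM/KMS on every request.
CACHE = {}


def parameter_name(stage, key):
    # A per-stage hierarchy lets IAM scope the role to one stage's secrets.
    return f"/myapp/{stage}/{key}"


def get_secret(key, stage=None, ssm=None):
    """Return the decrypted value of the SecureString parameter for `key`."""
    stage = stage or os.environ.get("STAGE", "dev")
    name = parameter_name(stage, key)
    if name in CACHE:
        return CACHE[name]
    if ssm is None:
        import boto3  # real client, only needed when none is injected
        ssm = boto3.client("ssm")
    # WithDecryption=True makes SSM call KMS for you; without it a
    # SecureString comes back as ciphertext.
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    CACHE[name] = value
    return value


def handler(event, context, ssm=None):
    password = get_secret("db-password", ssm=ssm)
    # Use the secret to connect to the database; never echo or log it.
    return {"statusCode": 200, "body": f"secret loaded ({len(password)} chars)"}


class FakeSSM:
    """Constructed stand-in for boto3's SSM client, for offline runs."""
    def __init__(self, store):
        self.store, self.calls = store, 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if Name not in self.store:
            raise KeyError(f"ParameterNotFound: {Name}")
        value = self.store[Name] if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": value}}
```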